NOTICE 13
REFERENCED FRAMEWORKS & SUPPORTING PRACTICES 13
INFORMATION SECURITY PROGRAM (ISP) OVERVIEW 14
INTRODUCTION 14
PURPOSE 14
SCOPE & APPLICABILITY 15
POLICY OVERVIEW 15
VIOLATIONS 15
EXCEPTIONS 15
UPDATES 15
KEY TERMINOLOGY 16
INFORMATION SECURITY PROGRAM STRUCTURE 18
MANAGEMENT DIRECTION FOR INFORMATION SECURITY 18
POLICIES, STANDARDS, PROCEDURES & GUIDELINES STRUCTURE 18
SECURITY & PRIVACY GOVERNANCE (GOV) 19
GOV-01: DIGITAL SECURITY GOVERNANCE PROGRAM 19
GOV-02: PUBLISHING SECURITY & PRIVACY POLICIES 19
GOV-03: PERIODIC REVIEW & UPDATE OF CYBERSECURITY DOCUMENTATION 19
GOV-04: ASSIGNED SECURITY RESPONSIBILITIES 20
GOV-05: MEASURES OF PERFORMANCE 20
GOV-05(A): MEASURES OF PERFORMANCE | KEY PERFORMANCE INDICATORS (KPIS) 20
GOV-05(B): MEASURES OF PERFORMANCE | KEY RISK INDICATORS (KRIS) 21
GOV-06: CONTACTS WITH AUTHORITIES 21
GOV-07: CONTACTS WITH SECURITY GROUPS & ASSOCIATIONS 21
ASSET MANAGEMENT (AST) 22
AST-01: ASSET GOVERNANCE 22
AST-02: ASSET INVENTORIES 22
AST-02(A): ASSET INVENTORIES | UPDATES DURING INSTALLATIONS / REMOVALS 23
AST-02(C): ASSET INVENTORIES | COMPONENT DUPLICATION AVOIDANCE 23
AST-02(G): ASSET INVENTORIES | SOFTWARE LICENSING RESTRICTIONS 23
AST-03: ASSIGNING OWNERSHIP OF ASSETS 23
AST-04: NETWORK DIAGRAMS & DATA FLOW DIAGRAMS (DFDS) 24
AST-05: SECURITY OF ASSETS & MEDIA 24
AST-06: UNATTENDED END-USER EQUIPMENT 24
AST-06(A): UNATTENDED END-USER EQUIPMENT | LAPTOP STORAGE IN AUTOMOBILES 25
AST-07: KIOSKS & POINT OF SALE (POS) DEVICES 25
AST-09: SECURE DISPOSAL OR RE-USE OF EQUIPMENT 26
AST-10: RETURN OF ASSETS 26
AST-11: REMOVAL OF ASSETS 26
AST-12: USE OF PERSONAL DEVICES 27
AST-13: USE OF THIRD-PARTY DEVICES 27
AST-14: USAGE PARAMETERS 27
AST-15: TAMPER PROTECTION 28
AST-15(A): TAMPER RESISTANCE & DETECTION | INSPECTION OF SYSTEMS, COMPONENTS & DEVICES 28
BUSINESS CONTINUITY & DISASTER RECOVERY (BCD) 28
BCD-01: CONTINGENCY PLAN 28
BCD-01(A): CONTINGENCY PLAN | COORDINATE WITH RELATED PLANS 29
BCD-01(B): CONTINGENCY PLAN | COORDINATE WITH EXTERNAL SERVICE PROVIDERS 29
BCD-04: CONTINGENCY PLAN TESTING & EXERCISES 30
BCD-04(A): CONTINGENCY PLAN TESTING | COORDINATED TESTING WITH RELATED PLANS 30
BCD-05: CONTINGENCY PLAN ROOT CAUSE ANALYSIS (RCA) & LESSONS LEARNED 30
BCD-06: CONTINGENCY PLAN UPDATE 31
BCD-08: ALTERNATE STORAGE SITE 31
INTRODUCTION
The Information Security Program (ISP) provides definitive information on the prescribed measures used to establish and enforce
the security program at [Official Company Name] ([Company Name]).
[Company Name] is committed to protecting its employees, partners, clients and [Company Name] from damaging acts that are
intentional or unintentional. Effective cybersecurity is a team effort involving the participation and support of every [Company
Name] user who interacts with data and systems. Therefore, it is the responsibility of every user to know these policies and to
conduct their activities accordingly.
Protecting company data and the systems that collect, process and maintain this information is of critical importance. Consequently,
the security of systems must include controls and safeguards to offset possible threats, as well as controls to ensure confidentiality,
integrity, availability and safety:
Confidentiality – Confidentiality addresses preserving restrictions on information access and disclosure so that access is
restricted to only authorized users and services.
Integrity – Integrity addresses the concern that sensitive data has not been modified or deleted in an unauthorized and
undetected manner.
Availability – Availability addresses ensuring timely and reliable access to and use of information.
Safety – Safety addresses reducing risk associated with embedded technologies that could fail or be manipulated by
nefarious actors.
Commensurate with risk, security measures must be implemented to guard against unauthorized access to, alteration, disclosure
or destruction of data and systems. This also includes protection against accidental loss or destruction.
PURPOSE
The purpose of the Information Security Plan (ISP) is to prescribe a comprehensive framework for:
Creating a leading practice-based Information Security Management System (ISMS);
Protecting the confidentiality, integrity, availability and safety of [Company Name] data and systems;
Protecting [Company Name], its employees and its clients from illicit use of [Company Name] systems and data;
Ensuring the effectiveness of security controls over data and systems that support [Company Name]’s operations.
Recognizing the highly-networked nature of the current computing environment and providing effective company-wide
management and oversight of those related cybersecurity risks; and
Providing for the development, review and maintenance of minimum security controls required to protect [Company
Name]’s data and systems.
The formation of these cybersecurity policies is driven by many factors, with the key factor being risk. These policies set the ground
rules under which [Company Name] operates and safeguards its data and systems to both reduce risk and minimize the effect of
potential incidents.
These policies, including their related control objectives, standards, procedures and guidelines, are necessary to support the
management of information risks in daily operations. The development of policies provides due care to ensure [Company Name]
users understand their day-to-day security responsibilities and the threats that could impact the company.
Implementing consistent security controls across the company will help [Company Name] comply with current and future legal
obligations to ensure long-term due diligence in protecting the confidentiality, integrity and availability of [Company Name] data.
Some standards apply specifically to persons with a specific job function (e.g., a System Administrator); otherwise, all personnel
supporting [Company Name] business functions shall comply with the standards. [Company Name] departments shall use these
standards or may create a more restrictive standard, but none that are less restrictive, less comprehensive or less compliant than
these standards.
These policies do not supersede any other applicable law or higher-level company directive or existing labor management
agreement in effect as of the effective date of this policy.
Appendix E (Digital Security Roles & Responsibilities) provides a detailed description of [Company Name] user roles and
responsibilities with regard to Information Security.
[Company Name] reserves the right to revoke, change or supplement these policies, standards and guidelines at any time without
prior notice. Such changes shall be effective immediately upon approval by management unless otherwise stated.
POLICY OVERVIEW
To ensure an acceptable level of cybersecurity risk, [Company Name] is required to design, implement and maintain a coherent set
of policies, standards, procedures and guidelines to manage risks to its data and systems.
The DSP addresses the policies, standards and guidelines. Data / process owners, in conjunction with asset custodians, are
responsible for creating, implementing and updating operational procedures to comply with DSP requirements.
[Company Name] users are required to protect and ensure the Confidentiality, Integrity, Availability and Safety (CIAS) of data and
systems, regardless of how its data is created, distributed or stored.
Security controls will be tailored accordingly so that cost-effective controls can be applied commensurate with the risk and
sensitivity of the data and system; and
Security controls must be designed and maintained to ensure compliance with all legal requirements.
VIOLATIONS
Any [Company Name] user found to have violated any policy, standard or procedure may be subject to disciplinary action, up to and
including termination of employment. Violators of local, state, Federal, and / or international law may be reported to the appropriate
law enforcement agency for civil and / or criminal prosecution.
EXCEPTIONS
While every exception to a standard potentially weakens protection mechanisms for [Company Name] systems and underlying data,
occasionally exceptions will exist. When requesting an exception, users are required to submit a business justification for deviation
from the standard in question.
UPDATES
Updates to the Information Security Plan (ISP) will be announced to employees via management updates or email announcements.
Changes will be noted in the Record of Changes to highlight the pertinent changes from the previous policies, procedures, standards
and guidelines.
Adequate Security: A term describing protective measures that are commensurate with the consequences and probability of loss,
misuse or unauthorized access to or modification of information.
Asset: A term describing any data, device, application, service or other component of the environment that supports information-
related activities. An asset is a resource with economic value that a [Company Name] owns or controls.
Asset Custodian: A term describing a person or entity with the responsibility to assure that the assets are properly maintained, are
used for the purposes intended and that information regarding the equipment is properly documented.
Cardholder Data Environment (CDE): A term describing the area of the network that possesses sensitive data or sensitive
authentication data and those systems and segments that directly attach or support cardholder processing, storage or transmission.
Adequate network segmentation, which isolates systems that store, process or transmit sensitive data from those that do not, may
reduce the scope of the sensitive data environment and thus the scope of the Payment Card Industry Data Security Standard (PCI
DSS) assessment.
Cloud Computing: A term describing a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of
configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and
released with minimal management effort or service provider interaction. It also includes commercial offerings for software-as-a-
service, infrastructure-as-a-service and platform-as-a-service.
Control: A term describing any management, operational or technical method that is used to manage risk. Controls are designed to
monitor and measure specific aspects of standards to help [Company Name] accomplish stated goals or objectives. All controls map
to standards, but not all standards map to Controls.
Control Objective: A term describing targets or desired conditions to be met that are designed to ensure that policy intent is met.
Where applicable, Control Objectives are directly linked to an industry-recognized leading practice to align [Company Name] with
accepted due care requirements.
Data: A term describing an information resource that is maintained in electronic or digital format. Data may be accessed, searched
or retrieved via electronic networks or other electronic data processing technologies. Appendix A (Data Classification & Handling
Guidelines) provides guidance on data classification and handling restrictions.
Data / Process Owner: A term describing a person or entity that has been given formal responsibility for the security of an asset,
asset category, process or the data hosted on the asset or process. It does not mean that the asset belongs to the owner in a legal
sense. Data / process owners are formally responsible for making sure that assets are secure while they are being developed,
produced, maintained and used.
Encryption: A term describing the conversion of data from its original form to a form that can only be read by someone that can
reverse the encryption process. The purpose of encryption is to prevent unauthorized disclosure of data.
Guidelines: A term describing recommended practices that are based on industry-recognized leading practices. Unlike Standards,
Guidelines allow users to apply discretion or leeway in their interpretation, implementation or use.
Information Security: A term that covers the protection of information against unauthorized disclosure, transfer, modification or
destruction, whether accidental or intentional. The focus is on the Confidentiality, Integrity, Availability and Safety (CIAS) of data.
Information Technology (IT): A term that includes computers, ancillary equipment (including imaging peripherals, input, output and
storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing
unit of a computer, software, firmware and similar procedures, services (including support services) and related resources.
Personal Data / Personal Information (PI): A term describing any information relating to an identified or identifiable natural person
("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier
such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that person.
PI Controller / Data Controller: A term describing the privacy stakeholder (or privacy stakeholders) that determines the purposes
and means for processing Personal Information (PI), other than natural persons who use data for personal purposes.
PI Principal / Data Principal: A term describing the natural person to whom the Personal Information (PI) relates.
PI Processor / Data Processor: A term describing the privacy stakeholder that processes Personal Information (PI) on behalf of and
in accordance with the instructions of a PI controller.
Policy: A term describing a formally established requirement to guide decisions and achieve rational outcomes. Essentially, a policy
is a statement of expectation that is enforced by standards and further implemented by procedures.
Procedure: A term describing an established or official way of doing something, based on a series of actions conducted in a certain
order or manner. Procedures are the responsibility of the asset custodian to build and maintain, in support of standards and policies.
Sensitive Data: A term that covers categories of data that must be kept secure. Examples of sensitive data include sensitive Personal
Information (sPI), Electronic Protected Health Information (ePHI) and all other forms of data classified as Restricted or Confidential
in Appendix A (Data Classification & Handling Guidelines).
Sensitive Personal Data / Sensitive Personal Information (sPI): A term describing personal data, revealing:
The first name or first initial and last name, in combination with any one or more of the following data elements:
    Social Security Number (SSN) / Taxpayer Identification Number (TIN) / National Identification Number (NIN);
    Driver License (DL) or another government-issued identification number (e.g., passport, permanent resident card, etc.);
    Financial account number; or
    Payment card number (e.g., credit or debit card);
Racial or ethnic origin;
Political opinions;
Religious or philosophical beliefs;
Trade-union membership;
Physical or mental health;
Sex life and sexual orientation;
Genetic data; and / or
Biometric data.
Standard: A term describing formally established requirements in regard to processes, actions and configurations.
System: A term describing an asset; a system or network that can be defined, scoped and managed. Includes, but is not limited to,
computers, workstations, laptops, servers, routers, switches, firewalls and mobile devices.
Target Audience: A term describing the intended group for which a control or standard is directed.
An Information Security Management System (ISMS) focuses on cybersecurity management and technology-related risks. The
governing principle behind [Company Name]’s ISMS is that, as with all management processes, the ISMS must remain effective and
efficient in the long-term, adapting to changes in the internal organization and external environment.
In accordance with leading practices, [Company Name]’s ISMS incorporates the typical "Plan-Do-Check-Act" (PDCA), or Deming Cycle,
approach:
Plan: This phase involves designing the ISMS, assessing IT-related risks and selecting appropriate controls.
Do: This phase involves implementing and operating the appropriate security controls.
Check: This phase involves reviewing and evaluating the performance (efficiency and effectiveness) of the ISMS.
Act: This phase involves making changes, where necessary, to bring the ISMS back to optimal performance.
Management Intent: The purpose of the Security & Privacy Governance (GOV) policy is to specify the development, proactive
management and ongoing review of [Company Name]’s security and privacy program.
Policy: [Company Name] shall protect the confidentiality, integrity, availability and safety of its data and systems, regardless of how
its data is created, distributed or stored. Digital security controls will be tailored accordingly so that cost-effective controls can be
applied commensurate with the risk and sensitivity of the data and system, in accordance with all statutory, regulatory and
contractual obligations.
Supporting Documentation: This policy is supported by the following control objectives, standards and guidelines.
Standard: [Company Name]’s security program shall be represented in a single document, the Information Security Plan (ISP), that:
(a) Shall be reviewed and updated at least annually; and
(b) Shall be disseminated to the appropriate parties to ensure all [Company Name] personnel understand their applicable
requirements.
Guidelines: The security plans for individual systems and the organization-wide DSP together provide complete coverage for all
cybersecurity and privacy-related controls employed within the organization.
Enhancements: None
Standard: [Company Name]’s security and privacy policies and standards shall be represented in a consolidated document, the
Information Security Plan (ISP) that shall be:
(a) Endorsed by executive management; and
(b) Disseminated to the appropriate parties to ensure all [Company Name] personnel understand their applicable
requirements.
Guidelines: An organization’s cybersecurity policies create the roadmap for implementing cybersecurity and privacy measures to
protect its most valuable assets. All personnel should be aware of the sensitivity of data and their responsibilities for protecting it.
Enhancements: None
Standard: [Company Name]’s business leadership (or other accountable business role or function) shall review the Information
Security Plan (ISP) at planned intervals or as a result of changes to the organization (e.g., mergers, acquisitions, partnerships, new
products, etc.) to ensure its continuing alignment with the security strategy, risk posture, effectiveness, accuracy, relevance and
applicability to statutory, regulatory and / or contractual compliance obligations.
Management Intent: The purpose of the Web Security (WEB) policy is to address the risks associated with Internet-accessible
technologies.
Policy: [Company Name] shall ensure that the principles of “least privilege” and “least functionality” are utilized to reduce risks
associated with managing Internet-accessible technologies and to ensure appropriate security and privacy controls are in place to
satisfy applicable statutory, regulatory and contractual requirements.
Supporting Documentation: This policy is supported by the following control objectives, standards and guidelines.
Standard: The Chief Information Security Officer (CISO) is responsible for developing, implementing and governing processes to
ensure Internet-exposed systems and services are:
(a) Designed and implemented to ensure both security and privacy principles exist by default;
(b) Properly maintained to reduce the attack surface area; and
(c) Regularly reviewed to ensure known vulnerabilities are remediated in a timely manner, based on the risk posed by the
threat.
Guidelines: None
Enhancements: None
Standard: [Company Name]’s IT department is required to implement and configure DMZs in accordance with industry-recognized
leading practices.
Guidelines: None
Enhancements: None
APPENDICES
Base + NIST 800-171 Security Program - Version 2018.5 Page 208 of 241
Restricted
  Definition: Restricted information is highly valuable, highly sensitive business information and the level of protection is
  dictated externally by legal and / or contractual requirements. Restricted information must be limited to only authorized
  employees, contractors and business partners with a specific business need.
  Potential Impact of Loss: SIGNIFICANT DAMAGE would occur if Restricted information were to become available to unauthorized
  parties either internal or external to [Company Name]. Impact could include negatively affecting [Company Name]’s competitive
  position, violating regulatory requirements, damaging the company’s reputation, violating contractual requirements and posing
  an identity theft risk.
Confidential
  Definition: Confidential information is highly valuable, sensitive business information and the level of protection is dictated
  internally by [Company Name].
Public
  Potential Impact of Loss: NO DAMAGE would occur if Public information were to become available to parties either internal or
  external to [Company Name]. Impact would not be damaging or a risk to business operations.
A-2: LABELING
Labeling is the practice of marking a system or document with its appropriate sensitivity level so that others know how to
appropriately handle the information. There are several methods for labeling information assets.
Printed. Information that can be printed (e.g., spreadsheets, files, reports, drawings or handouts) should contain one of
the following confidentiality symbols in the document footer on every printed page (see below) or simply the words if the
graphic is not technically feasible. The exception for labeling is with marketing material, since marketing material is
primarily developed for public release.
Displayed. Restricted or Confidential information that is displayed or viewed (e.g., websites, presentations, etc.) must be
labeled with its classification as part of the display.
A-5: DATA HANDLING GUIDELINES
Handling requirements are listed per data classification, from most to least sensitive (Restricted, Confidential, Internal Use, Public).

Web Sites
  Restricted: Posting to intranet sites is prohibited, unless it is pre-approved to contain Restricted data. Posting to Internet
  sites is prohibited, unless it is pre-approved to contain Restricted data.
  Confidential: Posting to publicly-accessible Internet sites is prohibited.
  Internal Use: Posting to publicly-accessible Internet sites is prohibited.
  Public: No special requirements.

Telephone
  Restricted: Confirm participants on the call line. Ensure private location.
  Confidential: Confirm participants on the call line. Ensure private location.
  Internal Use: No special requirements.
  Public: No special requirements.

Storage Media (Hard Disk Drives (HDDs), Flash drives, tapes, CDs / DVDs, etc.)
  Restricted: Physically destroy the hard drives and media. Requires use of a company-approved vendor for destruction (quick
  reformat of the media is not sufficient).
  Confidential: Physically destroy the hard drives and media or use commercial overwrite software to destroy the data on the media.
  Internal Use: Physically destroy the hard drives and media or use commercial overwrite software to destroy the data on the media.
  Public: Physically destroy the hard drives and media or use commercial overwrite software to destroy the data on the media.
APPENDIX B: DATA CLASSIFICATION EXAMPLES
The table below shows examples of common data instances that are already classified to simplify the process. This list is not inclusive
of all types of data, but it establishes a baseline for what constitutes data sensitivity levels and will adjust to accommodate new
types or changes to data sensitivity levels, when necessary.
IMPORTANT: You are instructed to classify data as more sensitive than this guide indicates, if you feel that is warranted by the content.
Sensitive Data Elements, grouped by Data Class (each element is classified as Public, Internal Use, Confidential or Restricted):

Client or Employee Personal Data
  Social Security Number (SSN)
  Employer Identification Number (EIN)
  Medical Data
  Workers Compensation Claim Data
  Education Data
  Dependent or Beneficiary Data

Strategic Marketing Data
  Business Plan (including marketing strategy)
  Legal Billings
  Budget-Related Data
  Unannounced Merger and Acquisition Information
  Trade Secrets (e.g., design diagrams, competitive information, etc.)

Operating
  Electronic Payment Information (Wire Payment / ACH)
  Paychecks
  Incentives or Bonuses (amounts or percentages)
  Stock Dividend Information
  Bank Account Information
  Investment-Related Activity
  Account Information (e.g., stocks, bonds, mutual funds, money markets, etc.)
  Debt Amount Information
  SEC Disclosure Information
APPENDIX C: DATA RETENTION PERIODS
The following schedule highlights suggested retention periods* for some of the major categories of data:
* Retention periods are measured in years, after the event occurrence (e.g., termination, expiration, contract, filing, etc.)
Category / Type of Record: Retention Period

Personnel Records
  Attendance Records: 3
  Employee benefit plans: 7
  Employment applications (not hired): 3
  Garnishments: 3
  I-9 Forms: 3
  Medical and exposure records - related to toxic substances: Permanent
  Organization Charts: Permanent
  OSHA Logs: 5
  OSHA Training Documentation: 5
  Patents: Permanent
  Pension plan agreement: Permanent
  Personnel files: 4
  Profit sharing agreement: Permanent
  Time cards and daily time reports: 3

Insurance
  Fire inspection reports: 7
  Group disability records: 7
  HIPAA-related documentation: 6
  Insurance policies: 7
  Safety records: 3
  Settled insurance claims: 7

Real Estate
  Deeds: Permanent
  Mortgages: 3
  Plans & blueprints: Permanent
  Plant cost ledger: Permanent
  Property appraisals: Permanent
  Property register: Permanent

Miscellaneous
  Server audit trail history: 1
  Workstation audit trail history: 1
  Router audit trail history: Permanent
  Firewall audit trail history: Permanent
  Visitor logs: 1
APPENDIX D: BASELINE SECURITY CATEGORIZATION GUIDELINES
Assets and services are categorized by two primary attributes: (a) the potential impact they pose from misuse and (b) the data
classification level of the data processed, stored or transmitted by the asset or process. These two attributes combine to establish
a basis for controls that should be assigned to that system or asset. This basis is called an Assurance Level (AL).
Where the data sensitivity and SC levels meet is considered the Assurance Level (AL). The AL represents the “level of effort” that is
needed to properly ensure the Confidentiality, Integrity, Availability and Safety (CIAS) of the asset or process.

Figure D-1: Asset Categorization Risk Matrix
(rows: Safety & Criticality level; columns: data sensitivity, from most to least sensitive)

Safety & Criticality        Restricted    Confidential    Internal Use    Public
SC-1 Mission Critical       Enhanced      Enhanced        Enhanced        Enhanced
SC-2 Business Critical      Enhanced      Enhanced        Basic           Basic
SC-3 Non-Critical           Enhanced      Basic           Basic           Basic